SEACEN Seminar on“INTERNAL AUDIT OF CENTRAL BANKS”Taipei, Taiwan, R.O.C.14-17 September 2004 Presented by Shamsul Islam Junior Joint Director Audit Department
SEACEN Seminar Organized by: South East Asian Central Bank Research & Training Centre (SEACEN Centre) Malaysia. Financed by: Bank of Japan (BOJ) Hosted by: The Central Bank of China (CBC)Taiwan.
Royal Monetary Authority of Bhutan Ministry of Finance, Brunei. Reserve Bank of Fiji. Bank Indonesia The Bank of Korea Bank Negara Malaysia The Bank of Mangolia. Nepal Rastra Bank State Bank of Pakistan. Bank of Papua New Guinea. Bangko Sentral ng Pilipinas. Central Bank of Sri Lanka. The Central Bank of China, Taipei. Bank of Thailand. Banking and Payments Authority of Tinor – Leste. Seminar Participants30 participants from the following 15 Central Banks/Monetary Authorities/Ministry of Finance.
Resource Persons. • Mr. John Graham Joscelyna CA(SA) CIA Director International Services UHY Advisers Inc. • Mr. Noriyuki Tomioka Director Internal Auditors’ Office Bank of Japan. • Dr. JIIN – FENG CHEN Associate Professor Department of Accounting, College of Commerce, National Chengchi University.
ISSUES FOR DISCUSSION IN THE SEMINAR. • Role of Internal Audit in Governance. • Identification of gaps in the Internal Audit Function and Opportunities for Improvement. • Internal Audit in the Risk Management Process. • Leveraging on Automation and Information Technology in Audit Engagements. • Impact of Regulations on Internal Audit. • Outsourcing of the Internal Audit Function. • Industry’s Best Practices in Internal Audit.
1. Role of Internal Audit in Governance • Entire audit process directly or indirectly linked with Governance Process. • Audit is an on going Governance Process through evaluation of the System of internal controls.
What should Governance mean to Audit. Process of oversight at board level. Relationship between board and management. Organization of executive functions Information flow Key Control Process. Transparency Authority Accountability Impacts the Bank from top to bottom. Determines the control environment. Influences the bank’s culture.
Pre-requisite for Auditors in relation to Governance • Authority in Internal Audit Charter/IA Mandate. • Competence on the part of Auditors. • Real desire of Board and Management to include Auditors.
What should be auditor’s relationship with his auditees. Facilitator • Picking up on their issues. • Questioning them on their needs. EducatorVerification Checklist • Sharing best practices • Sharing movement in Governance practice. Listener • Listen more from auditee so that auditor may educate and facilitate them.
What can Auditor do? Share Professional Best Practices • What reporting works best. • Usefulness of an independent audit • Usefulness of audit to the auditee. • How value is added to the performance of auditee. • Agree Audit Charter with the Board and Management. • Reporting of Audit activities to the Board. • Share International Internal Audit Standards and what they mean.
Objectives of these activities • Auditor has a voice in the Governance arena. • Auditor adds value to the views of the auditee. • Auditor is professional. • Auditor has an independent voice.
Increase understanding with regard to: • Code of Ethics. • Control Framework in the Bank. • Agreement on auditor’s work. • Agreement on the risks taken by the Bank. • Agreement on what auditor can and should do.
Reliance is also sought from other players. • Risk Managers. • Compliance Officer. • External Auditor.
Auditor’s leadership in Governance Process. • Adding value at the highest level. • Working at a strategic level. • Facilitating. • Enabling.
2) Identification of Gaps in the Internal Audit Function and opportunities for improvement. Gaps • IIAs standards. • Negative conception with regard to Auditors. • Level of competence in risk based auditing. • Auditor as “watchdog” and “faultfinder”. • Less emphasis on scientific audit programs. • Designing and implementing of flow charts in audit process. • Preparation of check list and their applications. • Designing of questionnaire for the auditee.
Gaps Cont……… • Central Bank experience – Professional qualifications. • Professional qualifications – Central Bank experience. • I.T. experts - Experience of Central Bank working. • Central Bank working experience - I.T. expertise. • Lack of coordination and understanding between Internal and External Auditors.
Opportunities for improvement: • Adoption of IIAs Standards. • To further educate the auditee with patience behavior. • To increase the level of competency in risk based auditing through training and by changing audit methodology. • To switch over in role of auditor from “watchdog” and “faultfinder” to the educator/facilitator/mentor. • To prepare scientific audit programs • To design and implement flow charting. • To use check list and questionnaire during the audit process.
Opportunities for improvement: cont’d….. • To arrange short courses/training for the officials who have a handsome experience but far behind the professional qualifications regarding audit. • Auditors other than I.T. should impart the I.T. training. • Top level management/Audit Committee should ensure the coordination and better understanding between Internal and External auditors.
3. Internal Audit in the Risk Management Process. Change in the role of Audit. • Watchdog/Faultfinder – Risk identifier/educator. Change in Audit Methodology. • Compliance based audit/Financial audit – Risk Based audit.
Risk Based Audit Process • Understanding of risks faced. • Assessing the exposures.
Risk Based Audit Process Cont’d…… • Gather information and plan. • Knowledge of departments/segments/objectives. • Understanding of operations and procedures. • Prior year’s audit results. • Regulatory statutes, approved policies. • Identifying risk associated with segment/process.
Risk Based Audit Process Cont’d…… • Obtain understanding of Internal Control • Control environment. • Control procedures. • Matches of associated risks with controls.
Risk Based Audit Process Cont’d…… • Perform Audit Tests • Test effectiveness of controls and other substantive audit procedures.
Risk Based Audit Process Cont’d…… • Conclude the Audit • Analyse the audit findings. • Discuss with departmental heads and draw conclusion. • Recommendation for improvements. • Draft Report.
Risk Evaluation Family Internal Auditor RiskManager Compliance Officer or Unit ExternalAuditor
Risk Based Audit Process Cont’d…… • Auditor’s own Risks. • Explicit Audit. • Delivering the right audit product. • Assuring the quality of work. • Maintaining professional reputation • Managing Human Resources.
4. Leveraging on Automation and Information Technology in Audit Engagements. • Why the automation is need of the time? • To increase in efficiency & productivity of Audit. • To increase in accuracy. • To eliminate storage of work papers. • To enable instantaneous communications. • To permit access of information via Internet. • To lower audit cost. • To faster the audit process.
Overall status of automation. • Initial / middle stage. • Working is being automated. • Designing of software. • Parallel Runs. • Partially live working. • Complete live working.
Usage of Software Tools. • In-house development. • Outsourcing the computerization. • Readymade Softwares.
Automation status in other Central Banks - SRILANKA • Payment System with - Real Time Gross Settlement (RTGS) • Government Debt Security Management with - Scriptless Securities Settlement System (SSSS). • Treasury and International Reserve Management with – Treasury Dealing Room Management System (TDRMS).
Computer Assisted Audit Tools and Techniques (CAATTs). • Readymade Softwares • Audit Command Language (ACL). • Sarbox Portal (SP) • Risk and Control Tracking System (RCTS). • Control Assessment Template (CAT). • Risk Navigator (RN). • Team Mate (TM). • Office-Suite Software.
Sarbanes – Oxley Software • 10th Annual Survey of Internal Audit Utilization of Software Tools • Why are you not using Sarbanes – Oxley Software? • Our Company is not subject to Sarbanes – Oxley – 79%. • Another Department in our organization handles Sarbanes – Oxley compliance 5%, • Sarbanes – Oxley compliance is outsource at our Organization – 1%. • These types of tools are too expensive – 8%. • Others – 10%.
5. Impact of Regulations on Internal Audit • Rules and Regulations may be National or International. • Evaluate how does it impact the Bank? • What about its stakeholders?
Rules and Regulations may relate to: • Best practices. • Leading Central Bank practices. • IMF suggestions or demands. • Money Laundering • Reserve Management. • Electronic Banking. • Generally Accepted Accounting Principles. • International Accounting Standards. • International standards of Auditing. • Income Tax Laws. • Rules and Regulations framed by SEC. • Corporate Governance Rules.
Impact on audit due to compliance of rules and Regulations • Cost. • Responsibility • Control Establishment • Scope.
Compliance of Regulations is every one’s business, therefore: • Is it in the risk assessment? • Is it understood in the Bank’s control environment? • Is it in the control activities of the Bank? • How does management see and acts? • How are regulatory issues communicated?
In compliance of the Regulations, information, communicated to the regulators: • Fair • Complete. • Transparent. • Independently verifiable by the Internal and External Auditor.
Impact of Incorrect information communicated to the regulators: • Lack of Trust • Disbelief • Lack of credibility.
6. Outsourcing of the Internal Audit Function • Kinds of outsourcing. • Special Project outsourcing. • Partial outsourcing. • Temporary staffing. • Full outsourcing.
Determining factors if the Internal Auditing be outsourced: • Will the outsourcing of Internal Audit effect the effectiveness of corporate governance? • What are the advantages and disadvantages of internal audit outsourcing?
Arguments in favour of Outsourcing: • Allows management to focus on core competencies. • Cost saving resulting from economies of scale. • Flexible access to expertise. • Access to leading practices.
Arguments against outsourcing: • By the lapse of time outsourcing provider will demand an ever greater premium for their services. • An external provider will not know the business as well, as the internal personnel do. • A valuable training ground is lost. • Morale of the personnel will be seriously impaired. • Individual Employee allegiance is to the outsourcing provider, not to the client. • Corporate governance is a management function which can not be outsourced. • Independence of external auditor will be impaired when the outsourcing provider is also external auditor. • Confidentiality is potentially lost. • Management and the audit committee lose an objective source of information.
Advantages of Outsourcing: • Smaller Organizations’ access to a broader set of skills. • Information systems audit skills – highly effective. • Innovative approaches – knowledge of “Best Practices”. • Integrated audit approach – Internal + External. • Active Management Participation – Provide direction and oversight.
Disadvantages of Outsourcing: • Loss of a second set of eyes and ears. • Confidentiality could not be maintained. • Outsource provider might be an auditor of commercial bank(s) to which central bank is monitoring. • Expertise leave the Organization. • Outsourcing does not build new managers. • Outsourcing does not have to live with the decisions or recommendations made – but still have pressure to retain the contract. • Difficult to rebuild internal auditing department, if outsourcing is not successful – dependency on one outside provider. • External Auditor may be lacking internal audit knowledge – material differences in perspective and execution:
Central Banks– Outsourced Internal Audit function of the Reserve Bank of Fiji is outsourced. • Justifications for outsourcing put forth by the representative of Reserve Bank of Fiji: • Cost effective. • Provides more independence and autonomy to the auditor. • Outsourcing addresses the problem of resource constraints. • Staff can be engaged in the core areas of the Bank. • Expertise in the field of audit were lacking. • Career paths and opportunities of audit personnel is limited as only one central bank in the country. • Skills required for auditing are readily available in the market.
Central Banks– Outsourced Cont’d…… • A few audit functions have been co-sourced by Central Bank of Srilanka. • The functions out sourced: • General Review of Information System. • Pay Role System. • Real Time Gross Settlement System (RTGS). • Justification for co-sourcing put forth by the representatives of Sri Lanka. • Early retirement of staff and the absence of expertise to special audit functions.
7. Industry Best Practices in Internal Audit Principles of Internal Audit. • Independence, objectivity and impartiality. • Audit should exercise their assignment without interference and are free to report their findings and appraisals. • Audit charter should be approved by the Board of Directors and should be communicated to all staff within the Bank. • Rotation of staff assignments within the audit department. • No involvement in the operations of the bank. • Recognition of the auditors’ independence in the audit charter. • Official internally transferred to audit department should not involve in the audit of his previous activity for a certain period.
Principles of Internal Audit Cont’d…. • Maintenance of professional competence: • On the job training. • Formal internal and external training. • Staff rotation within the Department. • Incentives to become a Certified Internal Auditor.